UNITED STATES NUCLEAR REGULATORY COMMISSION

OIG Information Digest

Volume 2, Number 1
NUREG/BR-0304, May 2004

Inside this issue:
• To Tell Or Not To Tell
• OIG Audit Reports
• Credit Repair Scam


To tell or not to tell

This issue of the OIG Information Digest is intended to make new and veteran NRC employees more aware of the problems that can be encountered when working with sensitive unclassified information. There have been occasions in the past few years when sensitive NRC information has been released to the public. It is important that you, as a Government employee, are aware of what types of information you are obligated to disclose and which types must be protected.

Prohibited Disclosure

The following are the types of information that should not be divulged to those without a need to know. The NRC handles three types of sensitive unclassified information:

Safeguards Information (SGI) concerns the physical protection of operating power reactors, spent fuel shipments, or the physical protection of special nuclear material.

Proprietary information (PROPIN) concerns trade secrets, commercial, and financial information.

Official Use Only (OUO) information concerns agency records, privacy data, and investigative reports.

Be mindful of the avenues through which sensitive information can be inadvertently released:

• E-mails
• Agencywide Documents Access and Management System (ADAMS)
• Telephone conversations
• Unattended computer terminals with sensitive information on the screen
• Documents released through the Freedom of Information Act (FOIA) process
• The mail
• Discussion of sensitive information in public meetings or public places
• Documents left on printers or in the copy machine
• Documents left on a desk
• Unsecured floppy disks
• Improperly disposed information in a recycle box
• Unsecured safes
• Shared computer passwords

OIG has received many allegations and has conducted 14 investigations in the recent past relating to the inadvertent release of safeguards information, information through the FOIA, classified information, and official use only information.

However, in each case, these releases were deemed not to be deliberate and willful acts.


OIG Audit Reports

OIG Audit Reports Continue to Focus on Preventing Inappropriate Release of Information

Preventing the inadvertent release of sensitive NRC information to the public has been an ongoing concern for NRC in recent years. Examples of such releases, while not frequent, have occurred often enough to indicate that prevention demands an ongoing, rigorous effort by the agency to keep employees aware of their responsibilities and to review and improve procedures for protecting this information.

Since 1999, the Office of the Inspector General has issued four audit reports specifically addressing the need to protect sensitive agency information from inadvertent release to the public. Some themes in these reports reflect the need to provide training, consolidate and clarify guidance, and maintain records of inadvertent releases so that trends can be identified. The reports described instances where information was inadvertently released to the public.

Examples included the inappropriate:

• Release of names and identifying information in two Freedom of Information Act (FOIA) responses resulting in legal action against NRC.
• Release through ADAMS of more than 700 non-public documents which included proprietary information submitted by licensees and personal information such as employee social security numbers and birth dates.
• Release of an Official Use Only (OUO) preliminary draft of the Yucca Mountain Review Plan.
• Distribution of documents including safeguards information (SGI) pertaining to NRC’s force-on-force security testing program.
• Verbal disclosure of SGI pertaining to the force-on-force program during an industry-sponsored meeting.

One of these audits was initiated in response to a congressional request, one was in response to a request from the NRC Chairman, and two were initiated by OIG. The following are summaries of these four audit reports, beginning with the most recent.

OIG-04-A-04, Audit of NRC’s Protection of Safeguards Information (January 8, 2004)

This audit sought to determine whether NRC adequately defines SGI, prevents the inappropriate release of SGI to anyone who should not have access to it, and ensures the protection of SGI. SGI deals with information related to the physical protection of operating power reactors, spent fuel shipments, or the physical protection of special nuclear material. SGI is to be protected in accordance with NRC’s sensitive unclassified information security program. In accordance with NRC Management Directive and Handbook 12.6, "NRC Sensitive Unclassified Information Security Program," SGI must be communicated over secure telecommunications equipment, not be processed on the local area network, be properly marked, and include a cover sheet to facilitate its recognition.

OIG found that NRC’s program to protect SGI had three weaknesses: (1) The benefit of the SGI designation as sensitive unclassified information was not clear, (2) NRC and licensee representatives had inappropriately released SGI to unauthorized individuals because of handling errors and differing interpretation of what constitutes SGI, and (3) NRC lacked a central authority for controlling, coordinating, and communicating SGI program requirements.

OIG-03-A-01, Review of NRC’s Handling and Marking of Sensitive Unclassified Information (October 16, 2002)

The objective of this review was to assess NRC’s program for the handling, marking, and protection of OUO information. OUO is one category of sensitive unclassified information that includes personnel records, privacy data, investigative reports, and predecisional or internal NRC data. This category of information requires special handling to ensure only limited internal distribution and no disclosure to the public. Some OUO information is intended to be released to the public after certain conditions have been met such as official approval of the document.

OIG found that NRC’s guidance for protecting OUO documents from inadvertent public release was inadequate. Specifically, the use of OUO cover sheets was left to the discretion of the document originator. In addition, individual pages of documents were not always marked and were therefore vulnerable to public disclosure if separated from the cover sheet. Consistent markings were not used on sensitive unclassified documents that were marked, which added to the confusion surrounding the proper marking and handling of sensitive unclassified information. Auditors also found that many employees were not knowledgeable about NRC’s guidance and requirements in this area because training on handling, marking, and protecting sensitive unclassified information was not provided to all NRC employees and contractors on a regular basis.

OIG-01-A-16, Review of the Unauthorized Release of Documents to the ADAMS Public Library (September 24, 2001)

The objective of this review was to assess the cause of an unauthorized release of non-public information to the Agencywide Documents Access and Management System (ADAMS) public library. ADAMS is NRC’s electronic record keeping system that maintains the official records of the agency. ADAMS is also NRC’s public information dissemination system that places publicly available records on NRC’s public Web server. The ADAMS Public Library contains duplicate copies of publicly available official agency records copied from the ADAMS Main Library.

The audit found that ADAMS software controls were inadequate to prevent the unauthorized release of documents, the ADAMS security plan did not entirely identify risks to the system and was not finalized, and communication was ineffective subsequent to the unauthorized release of non-public documents.

OIG/98A, Review of NRC Controls To Prevent the Inadvertent Release of Sensitive Information (February 2, 1999)

This audit sought to determine if NRC’s management controls for protecting sensitive information from inadvertent release were adequate and whether NRC was implementing the agency’s guidance to protect this information from inadvertent release. The audit also sought to determine if the ADAMS development process was taking into consideration the need to protect sensitive data from unauthorized release.

The audit found that NRC’s guidance and policies concerning sensitive information were scattered among many management directives, manuals, and other documents. This increased the potential for staff to miss or misapply pertinent guidance and that inadvertent releases of sensitive information occur because staff have varied levels of training and awareness regarding the handling of this information.

Agency Actions in Response to OIG Audits

Each of these audit reports contained recommendations to NRC for strengthening controls to protect sensitive information from inadvertent release. Some changes that NRC has implemented as a result of these recommendations include:

• Redesign of OUO and SGI cover sheets to clearly illustrate and explain required document markings and access requirements.
• Revision of several management directives to clarify agency guidance concerning OUO protection.
• Revision of ADAMS operating procedures to adequately control the process for copying documents from the Main Library to the Public Library.
• Mandatory annual employee training concerning the protection of sensitive unclassified information.
• Improved cross-referencing of management directives to facilitate employee awareness of agency guidance concerning the protection of sensitive information.


Credit repair scam
(Article from the National Consumers League)

In the last issue of the OIG Information Digest, we provided information concerning identity theft. A lesser known scam that is targeting individuals across the country is referred to as the credit repair scam. This scam involves people that currently have a problem with their credit ratings or have had problems in the past.

The Scam

Every day, companies nationwide appeal to consumers with poor credit histories. They promise, for a fee, to clean up your credit report so you can get a car loan, a home mortgage, insurance, or even a job. The truth is, they can't deliver. After you pay them hundreds or thousands of dollars in up-front fees, these companies do nothing to improve your credit report; many simply vanish with your money.

The following tips are intended to help you avoid falling victim to this type of scam:

No one can erase negative information if it’s accurate. Only incorrect information can be removed. Accurate information stays on your record for 7 years from the time it’s reported (10 years for bankruptcy). Even information about bills you fell behind on but now are paid will remain on your report for these time periods.

Credit repair services can’t ask for payment until they’ve kept their promises. Federal law also requires credit repair services to give you an explanation of your legal rights, a detailed written contract, and 3 days to cancel (this applies to for-profit services, not to nonprofit organizations, banks and credit unions, or the creditors themselves).

You can correct mistakes on your credit report yourself. If you were recently denied credit because of information in your credit report, you have the right to request a copy. There may be a small fee, if your State law does not provide for one free report a year. However, it doesn’t cost anything to question or dispute items in your report. Follow the instructions provided by the credit bureau. The major credit bureaus are:

• Equifax, 800-685-111, www.equifax.com;
• Experian, 800-682-7654, www.experian.com; and
• Trans Union, 800-916-8800, www.transunion.com.

Contact all three, as the information each has may vary.

You can add an explanation to your report. If there is a good reason why you weren’t able to pay bills on time (job loss, sudden illness, etc.) or you refused to pay for something because of a legitimate dispute, give the credit bureau a short statement to include in your file.

Know that you can’t create a second credit file. Fraudulent companies sometimes offer to provide consumers with different tax identification or social security numbers in order to create a new credit file. This practice, called “file segregation,” is illegal, and doesn’t work.

If you have credit problems, get counseling. Your local Consumer Credit Counseling Service (CCCS) can provide advice about how to build a good credit record. The CCCS may also be able to make payment plans with your creditors if you’ve fallen behind. These services are offered for free or at a very low cost. To find the nearest CCCS office, call toll-free, 800-388-2227, or go to www.nfcc.org.

As an NRC employee, you are entitled to help from the NRC Employee Assistance Program (EAP). There are benefits provided by the EAP if you are experiencing financial difficulties and do not know who to turn to for help. The EAP will provide assessment, referral, and short-term problem resolution for a number of personal and worksite-based issues. Employees who are experiencing financial problems are referred to local credit counseling agencies.

All inquiries and services to the EAP are kept confidential within the law and all records are protected by law (42 CFR Part 2).


Organization

United States Nuclear Regulatory Commission
Office of the Inspector General
11545 Rockville Pike
Mail Stop T 5D28
Rockville, MD 20851

Hotline: 800-233-3497
Fax: 301-415-5091